Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation

Securing your DevOps Pipeline
Justin Fox, Lead Solutions Architect

©2017 NuData Security Inc., A Mastercard Company. Proprietary.@mastercardnews I #saferpayments
• About NuData Security
• Disclaimer
• Leveraging CI/CD
• Security vs Compliance
• CIS Benchmarks for AWS
Agenda
SECURING YOUR DEVOPS PIPELINE ON AWS
DevOps Cloud Summit – Toronto 2017

• Four Integrated Technology Layers:
– Behavioral Biometrics
– Behavioral Analytics
– Device & Access Intel
– Cloud Consortium of Trusted Intelligence
• Quick facts:
– 100 Billion Behavioral Events Monitored Annually
– 4.3 Billion Behavioral Identity Profiles
– 100% Real-time
• Learn how to prevent more fraud: sales@nudatasecurity.com
About NuData Security

• Lead Solutions Architect
– NuData Security’s Platform Team
• Previously:
– DevOps Engineer
– Systems Adminsitrator
• Sometimes more of a Chaos Engineer 
• Website: https://justinfox.me
• Twitter: @666jfox777
About Justin Fox

• All views expressed in this presentation are my own and do
not represent the opinions of any entity with which I have
been, am now, or will be in the future affiliated with.
• Presentations are intended for educational purposes only and
do not replace independent professional judgment.
• Attendees should note that sessions are audio-recorded and
may be published in various media, including print, audio and
video formats without further notice.
Disclaimer

• A few terms:
– Continuous Integration
– Continuous Delivery
– Continuous Deployment
– Continuous Release
• AWS Definitions:
– Continuous delivery is a software development methodology where
the release process is automated.
– Continuous integration is a software development practice where
members of a team use a version control system and frequently
integrate their work to the same location, such as a master branch.
What is Continuous [term]

• What do you automate with Jenkins?
– Deploying AMIs or software updates?
– Creating, updating, deleting CloudFormation stacks?
– Managing Auto Scaling Groups?
– … and otherwise simplify complex tasks through automation
• How do you grant access?
– User / password?
– Hidden behind a VPN?
– 2F MFA?
– Shared service users?
Using Jenkins to Automate AWS Actions

• Sloppy, old, or “legacy” code or
automation scripts
• Old, vulnerable versions of
Jenkins
• Default users, left enabled
• Ex-employee accounts, or
similarly forgotten accounts
• Developers who want to get
work done
• … there might be many ways in,
all that matters is that it
succeeds once!
The Threat(s)

• Jenkins was created using automation
• Administrative user logs in with initial account
– Configures LDAP
• Users add jobs, pipelines, and various configuration
• Months later, the Administrative user walks in one morning…
– All S3 data deleted, instance counts maxed out, limits maxed
out
• … That administrative user never deleted the initial account
• The IAM role on Jenkins let the attacker run random API calls
What if?

• During all phases of all the projects that you work on, consider the
security aspect.
• Examples:
– “We need a service user…”
– “That’s the vendor’s default account…”
• Consider what permissions you hand out – you never know how
they could be used!
• Remember, you never know where your users/code will end up!
• Set up monitoring and alerting for your AWS accounts!
Consider Security

• Have you heard of:
– CodeCommit?
– CodeBuild?
– CodeDeploy?
– CodePipeline?
– Elastic Beanstalk?
– CloudFormation?
– Lambda?
• The goal is to reduce the
number of permission we give
to Jenkins
• Developers only need limited
permissions => CodeCommit
access!
• Jenkins should only need
limited AWS permissions as
well!
Improving Security using AWS

• CodeCommit
Developers commit code.
• CodeBuild
Build code artifacts and store them on S3.
• CodeDeploy
Deploy artifacts to instances (AWS or elsewhere)
• CodePipeline
Monitors for changes in each stage and triggers the event.
AWS Developer Tools

AWS Developer Tools (graphic)

• Security and compliance are not the same!
– Security protects your information from threats by controlling
how that information is used, consumed and provided.
– Compliance is a demonstration — a reporting function — of
how your security program meets specific security standards
as laid out by regulatory organizations.
• Compliance defines minimum security level!
• You are NOT doing it to impress an auditor; you are doing it to
stop an attacker!
Security vs Compliance

• Compliance Certificates:
– SOC (1,2,3), PCI, ISO 9001 / 27001 / 27017 / 27018
– HIPAA BAA, IRAP, MTCS, C5
– FedRAMP (Moderate / High)
– DoD CC SRG IL2, DoD CC SRG IL4, DoD CC SRG IL5
• See: https://aws.amazon.com/compliance/services-in-scope/
• DoD CC SRG = Department of Defense Cloud Computing Security Requirements Guide
• IRAP = InfoSec Registered Assessors Program
• MTCS = Multi-Tier Cloud Security
• C5 = Cloud Computing Compliance Controls Catalogue
AWS Services Compliance

AWS Compliance Examples
AWS Service SOC 1, 2, 3 PCI ISO HIPAA BAA C5
IAM √ √ √ √
VPC √ √ √
CloudTrail √ √ √ √
AutoScaling *In Progress*
SNS *In Progress*
SQS √ √ √ √ √
DynamoDB √ √ √ √ √

• CIS = Centre for Internet Security
• Provides guidance for configuring
security features for a variety of
systems.
• Examples:
– CentOS
– Apache
– AWS
– Etc
• Targets AWS Technologies (in 4
sections):
– IAM
– Config
– CloudTrail
– CloudWatch
– SNS
– S3
– VPC
CIS Benchmarks for AWS

• There are 24 IAM recommendations
• Benchmark Examples (3/24):
– Ensure multi-factor authentication (MFA) is enabled for all
IAM users that have a console password
– Ensure IAM instance roles are used for AWS resource
access from instances (Not Scored)
– Ensure IAM policies that allow full "*:*" administrative
privileges are not created
IAM

• There are 8 Logging recommendations
– Ensure CloudTrail is enabled in all regions
– Ensure AWS Config is enabled in all regions
– Ensure CloudTrail logs are encrypted at rest using KMS
CMKs
Logging

• There are 15 Monitoring recommendations
– Ensure a log metric filter and alarm exist for unauthorized
API calls
– Ensure a log metric filter and alarm exist for Management
Console sign-in without MFA
– Ensure a log metric filter and alarm exist for usage of "root"
account
• Note: some AWS services may show as the ”root” account
Monitoring

• There are 5 networking recommendations
– Ensure no security groups allow ingress from 0.0.0.0/0 to
port 22
– Ensure no security groups allow ingress from 0.0.0.0/0 to
port 3389
– Ensure VPC flow logging is enabled in all VPCs
Networking

Ok, now what?

• AWS Config Rules  We’re going to talk about this one
• AWS Partners:
– https://www.alertlogic.com/
– https://evident.io/cloud-security-compliance-for-aws/
– https://www.threatstack.com/
• Monitoring system?
– Nagios, Zabbix, Sensu, etc.?
How to Monitor / Enforce?

• Generally used to target specific resource types
• Examples:
– IAM Users MFA Enabled
– VPC Flow Logging Enabled
– S3 Buckets have Access Logs
AWS Config Rules: Triggered Rules

• Called “Periodic”.
• Generally used to target GLOBAL resources.
• Examples:
– Root Account MFA Enabled
– CloudTrail Enabled
– Config Enabled
– CloudTrail Log Encryption Enabled
AWS Config Rules: Scheduled Rules

1. COMPLIANT
2. NON_COMPLIANT
3. NOT_APPLICABLE
• If you’re seeing a lot of “NOT_APPLICABLE”, adjust your rule.
– It’s costing you money.
AWS Config Rules: Result States

• Time for some technical
examples!
• AWS Config Rules is used to
provide a dashboard overview
and manage alert
configuration
• AWS Config Rules allows for
Triggered and Scheduled
rules
• AWS Lambda is my tool of
choice for detection /
remediation
Examples:
1. Ensure multi-factor
authentication (MFA) is
enabled for all IAM users
that have a console
password
2. Ensure CloudTrail is enabled
in all regions
3. Ensure VPC flow logging is
enabled in all VPCs
Examples

if (resourceType == 'AWS::IAM::User') {
iam.listMFADevices({ UserName:
invokingEvent.configurationItem.resourceName }, function(err, mfa) {
var compliance = 'NON_COMPLIANT';
if (!err) {
if (mfa.MFADevices.length > 0) {
compliance = 'COMPLIANT';
}
} else {
console.log(err);
}
putEval(event,context,resType,resId,compliance,timestamp);
});
} else {
putEval(event,context,resType,resId,'NOT_APPLICABLE',timestamp);
}
Example #1 – MFA for IAM Users

readSnapshot(s3, s3key, s3bucket, function(err, snapshot) {
if (err === null) {
for (var i = 0; i < snapshot.configurationItems.length; i++) {
var item = snapshot.configurationItems[i];
if (item.resourceType === 'AWS::CloudTrail::Trail') {
if (item.configuration.isMultiRegionTrail) {
}
}
}
} else {
context.fail(err);
}
});
Example #2 – AWS CloudTrail Enabled

ec2.describeFlowLogs(
{ Filter: [ { Name: 'resource-id', Values: [ resourceId ] } ]
},
function(err, data) {
if (!err) {
if (data.FlowLogStatus == 'ACTIVE') {
}
}
});
Example #3 – VPC Flow Logging

Example #4 – AWS Config Rules

• Note: Time dependant, don’t worry folks links at the end for
walkthroughs and examples!
• CodeCommit => CodeBuild => CodeDeploy w/ CodePipeline
• Config Rules + Dashboard
Demo

• Tryout CodePipeline for your CI/CD pipeline
• Add auto remediation to the AWS Config Rules example
– E.g.: Disable IAM user keys when they expire.
• Use AWS CloudWatch Events to intercept API calls
– E.g.: Don’t allow AWS CloudTrail to be disabled!
• Use AWS CloudWatch Events like CROND.
• Use AWS Service Catalog to provide AWS CloudFormation Templates for
reuse
• If you enjoyed this session, be sure to check out my blog:
https://justinfox.me/
Follow-up

• For today’s slides:
https://justinfox.me/articles/devopscloudsummit-toronto-2017
• Related Blog Posts:
https://justinfox.me/articles/compliance-with-aws-config
https://justinfox.me/articles/aws-developer-tools-for-cicd
• Github Repository:
https://github.com/666jfox777/aws-config-rules-template
https://github.com/666jfox777/aws-codepipeline-example
Questions

Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation

More Related Content

More from TriNimbus (16)

Recently uploaded (20)

Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation

Editor's Notes